Package: turba2
Version: 2.1.3-1
Severity: normal

Access rights do not seem to be checked properly before allowing a user to edit address data, as illustrated in the following example:

A user adds an address from his or her personal addressbook to a contact list in a shared address book. Now anybody who has write access to the shared address book can also edit this person's address data in the user's personal addressbook. In fact, after manually entering an object_id (which I looked up in the database) from somebody else's address book, I found I could edit this data as well. So it seems that when edit.php is passed an object_id, the owner_id and the requesting user's access rights to the addressbook that the owner_id refers to aren't checked. Apparently knowing the object_id is enough to be able to edit any address! I guess this is left over from the time address books couldn't be shared yet, based on the assumption that people wouldn't be able to guess the pseudo-random 32-character ids.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
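The following is an added illustration of the authorization check the report says is missing; it is not Turba code and does not use the Horde API. It models address books, share permissions and contacts in memory (all sample data is constructed) and contrasts an edit handler that looks an object up by object_id alone with one that resolves the object's owner_id to its address book and verifies the requesting user's write access there. The names (`AddressBook`, `Contact`, `edit_contact_unchecked`, `edit_contact_checked`, `make_sample_store`) are hypothetical.

```python
"""Toy model of the object_id/owner_id authorization check for an edit handler.

Added example, not part of the Turba project. Names and data are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class AddressBook:
    book_id: str
    owner: str
    # Share permissions granted to other users: user -> set of rights.
    shares: dict = field(default_factory=dict)

    def can_edit(self, user: str) -> bool:
        """Write access comes from ownership or an explicit 'edit' share."""
        return user == self.owner or "edit" in self.shares.get(user, set())


@dataclass
class Contact:
    object_id: str   # 32-character pseudo-random id in Turba; a short constructed id here
    owner_id: str    # id of the address book this object lives in
    data: dict


def make_sample_store():
    """Constructed sample: Alice's personal book, and a team book shared with Bob.

    The team book holds a contact list whose only member is an object that
    lives in Alice's personal book (the scenario from the report).
    """
    books = {
        "alice_personal": AddressBook("alice_personal", owner="alice"),
        "team_shared": AddressBook("team_shared", owner="alice",
                                   shares={"bob": {"read", "edit"}}),
    }
    contacts = {
        "obj-alice-1": Contact("obj-alice-1", "alice_personal",
                               {"name": "Dana Example", "email": "dana@example.invalid"}),
        "obj-list-1": Contact("obj-list-1", "team_shared",
                              {"name": "Project team", "members": ["obj-alice-1"]}),
    }
    return books, contacts


def edit_contact_unchecked(store, user, object_id, changes):
    """Mirrors the behaviour the report describes: the object is found by id only.

    Knowing (or being shown, via a contact list) the object_id is enough.
    """
    _books, contacts = store
    contact = contacts.get(object_id)
    if contact is None:
        return False
    contact.data.update(changes)
    return True


def edit_contact_checked(store, user, object_id, changes):
    """Resolve the object's owner_id to its address book and check write access there.

    Membership of a contact list in a shared book grants nothing: the decision
    is made against the book the referenced object actually belongs to, so an
    unguessable id is no longer the only thing standing between a user and the
    data. Unknown ids and unknown books are refused, not treated as open.
    """
    books, contacts = store
    contact = contacts.get(object_id)
    if contact is None:
        return False
    book = books.get(contact.owner_id)
    if book is None or not book.can_edit(user):
        return False
    contact.data.update(changes)
    return True


if __name__ == "__main__":
    store = make_sample_store()
    # Bob has write access to team_shared but not to alice_personal.
    print("unchecked, bob -> obj-alice-1:",
          edit_contact_unchecked(store, "bob", "obj-alice-1", {"email": "x@example.invalid"}))
    print("checked,   bob -> obj-alice-1:",
          edit_contact_checked(store, "bob", "obj-alice-1", {"email": "y@example.invalid"}))
    print("checked,   bob -> obj-list-1: ",
          edit_contact_checked(store, "bob", "obj-list-1", {"name": "Team (renamed)"}))
```

The difference between the two handlers is the single lookup from the object's owner_id to the address book and the permission test on that book; everything else is identical. Editing the contact list itself (obj-list-1) remains allowed for a user with write access to the shared book, since the list entry lives there, while the member objects keep the permissions of their own books.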